
How LXC Works

LXC containers are built from templates, which are basically shell scripts. If the shell script uses some additional software, you have to have that software installed or the template won’t work. Here are some typical dependencies of common templates:

bridge-utils (namely the brctl utility) for managing Linux bridges;

debootstrap to install a Debian-based system from an already running OS. You will need it if you decide to use a template to create a container with Ubuntu or Debian (or any other Debian-based distro);

The files in an LXC container are simply the files in /var/lib/lxc/<container-name>, a directory which contains:

rootfs – contains files of the guest OS

config – configuration file for a container

fstab – contains mount information in fstab format

The workflow with LXC proceeds according to the following basic pattern:

Start a new LXC container, using a base template.

Install software and otherwise configure the container.

At checkpoints, clone the container to create “frozen” copies (not to be confused with lxc-freeze). This operation does nothing more than create copies of the container filesystem in /var/lib/lxc/<new-container>/rootfs.

Once you have a working container, all you have to do is create a tarball of the files. The container can then be launched on a different server by transferring the tarball, unpacking it, and running it using LXC tools.
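
The tarball step above, as an added shell example (not from the original article or from the LXC project). The function names lxc_check_layout, lxc_pack and lxc_unpack are hypothetical, and the script assumes GNU tar and sha256sum are installed.

```shell
#!/bin/sh
# Added example: package and restore an LXC container directory as a tarball.
# Function names are hypothetical; layout follows /var/lib/lxc/<container-name>.

# Verify the directory looks like a container: rootfs/ and config must exist.
# fstab is listed in the article but treated as optional here (assumption).
lxc_check_layout() {
    dir=$1
    [ -d "$dir/rootfs" ] || { echo "missing rootfs/ in $dir" >&2; return 1; }
    [ -f "$dir/config" ] || { echo "missing config in $dir" >&2; return 1; }
    [ -f "$dir/fstab" ] || echo "note: no fstab in $dir" >&2
    return 0
}

# Pack <container-dir> into <tarball> and write <tarball>.sha256 beside it.
# --numeric-owner keeps raw uid/gid values so guest file ownership does not
# depend on the user database of the host that unpacks the archive.
lxc_pack() {
    dir=${1%/}; out=$2
    lxc_check_layout "$dir" || return 1
    tar --numeric-owner -C "$(dirname "$dir")" -czf "$out" "$(basename "$dir")" || return 1
    ( cd "$(dirname "$out")" && sha256sum "$(basename "$out")" > "$(basename "$out").sha256" )
}

# Verify the checksum, reject archives with absolute or ".." member paths,
# then unpack under <dest-base> (e.g. /var/lib/lxc on the target host).
lxc_unpack() {
    tarball=$1; dest=$2
    ( cd "$(dirname "$tarball")" && sha256sum -c "$(basename "$tarball").sha256" >/dev/null ) \
        || { echo "checksum mismatch for $tarball" >&2; return 1; }
    if tar -tzf "$tarball" | grep -E '^/|(^|/)\.\.(/|$)' >/dev/null; then
        echo "unsafe member path in $tarball" >&2; return 1
    fi
    tar --numeric-owner -C "$dest" -xzf "$tarball"
}
```

Run both functions as root on real containers so file ownership inside rootfs survives the round trip. The checksum file only detects corruption in transit unless it reaches the target host over a separate trusted channel.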

A Simple Example

Finally, create a first container:

$ sudo lxc-create -t ubuntu -n ubuntu-01

The first run will be delayed for five minutes, because lxc-create runs the ubuntu template, which builds a new rootfs and copies it to the folder /var/lib/lxc/ubuntu-01. LXC usually uses /var/lib/lxc/ to store containers and /var/cache/lxc/ as a cache (mainly used by lxc-create and templates).

Let’s start it now (login and password are both ubuntu):

$ sudo lxc-start -F -n ubuntu-01

Note that the guest OS has its own init process and a running sshd, and in general it is not very different from a system running somewhere on EC2. Running ifconfig, you will see that the container has a network interface configured to obtain its address via DHCP. This is the default, so you do not need to worry about it. You can get back from the container to your host shell only by shutting down the container, which can be done in two ways:

Shutdown command in the container: $ sudo shutdown -h now

Close the console window.

This is because you ran the container without the -d option (which is the default behaviour for old versions of LXC) and with the -F (foreground) option. LXC does not allow you to detach from a container that was not launched in the background.

Templates

A template is just an executable file, usually written in bash (but not necessarily), that creates the container rootfs. lxc-create invokes a template and performs the rest of the work to create the container. Keep in mind that many template scripts depend on additional programs, which are mentioned at the beginning of this article. Templates can be found in /usr/share/lxc/templates.